Is there any available SDK of Twilio or Authy to use for Two Factor Authentication with Cognito?
Or What are the best practices to do User Authentication via Cognito with Two Factor Authentication?
Basically how mobile app authenticate user with Two Factor Authentication by using Cognito for Identity Management?
One important clarification - Cognito doesn't manage users for you. Cognito leverages public providers (facebook, google, amazon, twitter, an existing external provider...etc.) to generate AWS credentials for whatever user 'signs in'. Additionally, there isn't a native MFA mechanism in Cognito as of now.
With that in mind, it should be possible to do it yourself, however you would need to build some additional mechanism. Say you were trying to log into facebook - the common flow would be to:
1) open up app
2) click sign in button
3) sign in to facebook
4) app validates login with facebook, gets generated token
5) app gives generated token to Cognito, gets an id and credentials.
To catch the login event, you would need some kind of back end that intercepts the login event and has some kind of mapping of login to means of authentication, then once that provider approves the login, you can trigger the auth text/push notification...etc.
Update: this is no longer true, the Cognito User Pools service does manage users for you and allows SMS MFA for authentication.
Related
We're trying to implement a Docusign integration for a multi-tenant cloud application (i.e. https://company1.app.com, https://company2.app.com, etc...).
The goal is to allow the tenant admin (our customer) to upload envelopes containing document templates for users to sign when they first login. Each tenant admin will have their own Docusign account/envelopes.
We've implemented a solution for this; however, it requires each tenant admin to create a separate Integration key and go through the process of promoting it to a live account. This is not scalable for us and some of our tenant admins are not tech people, so they have trouble setting this up.
Is there a way to implement the Docusign integration using a single Integration key (our key), but still have tenant admins login with their own Docusign account and upload their own envelopes?
I think you are building a Docusign User Application. You should use the OAuth2 auth flows instead of creating separate Integrator key for each tentant.
A user application is a client that authenticates every end user with DocuSign. These applications are typically web services, mobile applications, or desktop programs that authenticate individual users on the DocuSign platform. Once authenticated, users give consent for the application to display, send, or sign envelopes from their account. For user applications the OAuth2 auth flows are recommended.
A key issue that you may be missing is that your Integration Key works with any account. It is associated with your account just to manage it.
So as CodingDawg says, each of your customers can use your app by logging in with their own user credentials for their own account.
I am trying to understand what is the intended use case for app auth and app users. Im basically thinking about building an app that would use Box to store data of users that would subscribe to our service. Our service would allow each user to access and view their data.
If I have an account that basically owns the data of all the subscribed users, can I use the enterprise access token as a base for authentication while using the user account token to restrict the user to only viewing the data from their specific sub directory. Or do I have to have a unique account with its own api key for every user?
I hope this makes sense. Any assistance would be appreciated.
Thanks.
App Auth and App Users -- which is officially called Box Platform -- is essentially a white-labeled version of Box. I think of it this way: "Box" as we know it is software-as-a-service. It offers a web app, mobile apps, and all the trimmings. Box Platform is the platform layer upon which the SaaS is built, providing API-based management of users/content/comments/collaborations/etc. With Box Platform you have a walled garden in which you can build apps that leverage all the features of the APIs, but are not otherwise "Box apps."
I'm basically thinking about building an app that would use Box to store data of users that would subscribe to our service. Our service would allow each user to access and view their data.
This is an appropriate use case. With Box Platform you will be the owner and administrator of a Box enterprise and all the accounts and data contained within.
If I have an account that basically owns the data of all the subscribed users, can I use the enterprise access token as a base for authentication while using the user account token to restrict the user to only viewing the data from their specific sub directory. Or do I have to have a unique account with its own api key for every user?
I think it's generally cleanest to create unique accounts for each user as opposed to giving users a special subdirectory in the admin account. From there you can use the App Auth workflow to get an access token specific to that user.
We used to have an application connector implementing the Document List Service v3 to upload documents to users account. Now that the service will be discontinued starting as of next Monday and we need to migrate to the Drive API/SDK we have the problem to migrate our current login schema .. we are unable to use the OAuth 2 protocol and we need to authenticate users with their username/password credentials.
DocumentsService myService = new DocumentsService("xxx");
myService.setUserCredentials(username, password);
The reason is that our application scans and processes documents asynchronously from MFD devices (printers) and all processing/storage job is done in a different moment on processing servers, thus the limitation that the processing service cannot ask any consens to the user.
We do the same for other online cloud storage application (e.g. Dropbox) where they allow special 'OAuth 1' schema on request for such 'enterprise' situations.
How can we do this with the new Drive API/SDK? I couldn't find anything about that in the documentation rather than the service account, also looks like not suitable.
What you need to do is request authentication from you user once. The server gives you back a refresh token. Your automated application can then use this refresh token to get a new access token. You only need to ask the user one time for authentication. Then everything can run automated.
A service account wont really work in this instance because its meant for use with an account that you the developer own not a users account
Does box.com support 'Autonomous Client' or client credentials grant?
I need to generate access_token programmatically and cannot do the web-server flow.
Can we obtain the access_token using the 'Autonomous Client' or 'client credentials grant' method for box.com APIs?
Box supports a client-credentials grant, but only for access to information that would be available for an anonymous user. It can be used to download openly shared content, or to get information about your application.
For machine-2-machine integrations with Box, Box recommends creating a system-account, and signing in with that account once through the user-flow. If you put the resulting Refresh token into a bootstrap location for your application (like a config file, or a database entry that's used only once) then you can bootstrap your application.
Can someone can give me some insights on how facebook's api login or any api login at all could work with a database mysql? For instance, I could write up a login/registration form and have the user input their information into my database, and when I login, it will direct me to a user's page with PHP's conditions of users password and username/email and it will go through my database to match if it is correct. Also, I can do various things in my site with user's information is in my database
But if the user does not have a username/email and password in my database, but I'm allowing them to access my site with facebook's api login, how does my site's mysql database run with facebook's api?
U need to study OAuth / Oauth2.
Oauth (Open Authorization) is a Standard Protocol for Authorization and Authentication purposes. You can let User's use your API without asking for their login credentials.
A very good link to study OAuth.